Win32/Bflient [Threat Name]

Win32/Bflient.K [Threat Variant Name]

Category worm
Size 95232 B
Detection created Aug 17, 2010
Signature database version 10166
Aliases P2P-Worm.Win32.Palevo.avir (Kaspersky)
  W32.Pilleuz!gen11 (Symantec)
  Trojan:Win32/Rimecud.A (Microsoft)
Short description

Win32/Bflient.K is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\sjlp.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Taskman" = "%appdata%\sjlp.exe"
    • "Shell" = "explorer.exe,%appdata%\sjlp.exe"

Spreading on removable media

The worm copies itself to the following location:

  • %drive%\GOLAC\tornado.exe

The worm creates the following file:

  • %drive%\autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
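The two persistence mechanisms described above (the extra entry appended to the Winlogon "Shell" value plus the "Taskman" value, and the autorun.inf dropped on removable media) are straightforward to check for. The following is an added example written for this page, not ESET's code or anything from the worm itself; the Winlogon values and autorun.inf contents it runs on are constructed sample data modelled on the paths listed above, and the `check_winlogon` / `check_autorun_inf` function names are this example's own.

```python
"""
Defender-side checks for the persistence tricks listed in this description:
  1. Winlogon "Shell" carrying something other than the default "explorer.exe",
     or a "Taskman" value (not present on a clean system) pointing at a binary.
  2. An autorun.inf on removable media whose open=/shellexecute= lines launch
     an executable stored on that drive.
All inputs below are constructed sample data, not values read from a live host.
"""
import re

# On a clean Windows install the Winlogon Shell value is exactly "explorer.exe".
# The worm appends its own binary after a comma so Winlogon starts both.
DEFAULT_SHELL = "explorer.exe"

# Constructed sample: Winlogon values as this worm leaves them.
INFECTED_WINLOGON = {
    "Shell": "explorer.exe,%appdata%\\sjlp.exe",
    "Taskman": "%appdata%\\sjlp.exe",
    "Userinit": "C:\\Windows\\system32\\userinit.exe,",
}

# Constructed sample: Winlogon values on a clean system (no Taskman value at all).
CLEAN_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": "C:\\Windows\\system32\\userinit.exe,",
}

# Constructed sample autorun.inf referencing the dropper path from this page.
# The real file's contents are not given in the description; this is illustrative.
SAMPLE_AUTORUN_INF = (
    "[autorun]\n"
    "open=GOLAC\\tornado.exe\n"
    "icon=GOLAC\\tornado.exe,0\n"
    "shellexecute=GOLAC\\tornado.exe\n"
)


def check_winlogon(values):
    """Return findings as (value_name, [suspicious entries]) for a Winlogon dict.

    Value names are compared case-insensitively, as the registry does.
    """
    findings = []
    lowered = {k.lower(): v for k, v in values.items()}

    shell = lowered.get("shell")
    if shell is not None:
        # "explorer.exe,%appdata%\sjlp.exe" -> ["explorer.exe", "%appdata%\sjlp.exe"]
        entries = [e.strip() for e in shell.split(",") if e.strip()]
        extra = [e for e in entries if e.lower() != DEFAULT_SHELL]
        if extra:
            findings.append(("Shell", extra))

    # Taskman is not set by default; any value is a program launched at logon.
    if "taskman" in lowered:
        findings.append(("Taskman", [lowered["taskman"]]))

    return findings


# autorun.inf keys that cause a program to run when the media is inserted/opened.
_AUTORUN_LAUNCH = re.compile(r"\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+)", re.I)


def check_autorun_inf(text):
    """Return the command targets referenced by launch keys in an autorun.inf body."""
    refs = []
    for line in text.splitlines():
        m = _AUTORUN_LAUNCH.match(line)
        if m:
            refs.append(m.group(2).strip())
    return refs


if __name__ == "__main__":
    for name, values in (("infected", INFECTED_WINLOGON), ("clean", CLEAN_WINLOGON)):
        print(name, "Winlogon findings:", check_winlogon(values))
    print("autorun.inf launch targets:", check_autorun_inf(SAMPLE_AUTORUN_INF))
```

On a live host the same checks would be fed from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` and from the root of each removable volume; the parsing logic does not change. Note that the Shell check flags any non-default entry, so a legitimately customised shell also shows up and needs to be reviewed rather than treated as an automatic verdict.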

Information stealing

The worm collects the following information:

  • cookies
  • user name
  • computer name
  • operating system version

The worm can send the information to a remote machine.

Other information

The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • iexplore.exe

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (4) URLs.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
  • update itself to a newer version
  • monitor network traffic
  • send gathered information
